#8 The Zig and Zag of Zoom

More bad news about ClearView AI // Governments clutch pearls and power // Zoom lies through its teeth

There hasn’t been an issue of Ad Hominem since March, for all the reasons you can guess. The world’s attention, including mine, shifted rapidly to COVID-19, and now has whiplashed again to focus on the civil rights protests rocking major United States cities. The entire conversation around surveillance is shifting too, as nations push for some sort of ability to contact trace the disease, and as civil unrest boils up around us.

This issue is a catch-up on the last couple months of news about Zoom, in an attempt to gather a lot of the resources I’ve been reading to make sense of the company. I personally only have Zoom installed on my iPad where iOS sandboxes the application to a certain extent, and I refuse to install it on any of my personal computers with a general operating system. Despite their recent changes, I don’t like or trust the product, and they have a lot of ground to cover as they look to restore broken trust with consumers.

You’ve probably already been invited to several group calls on the ubiquitous video-chat service Zoom (The Verge). Coming out of nowhere like a Slack on crack, the videoconferencing startup has gone from 10 million daily users in December to over 200 million in March (Zoom blog). It’s being used by businesses, schools, and increasingly, just everyday people who want to talk in groups. Zoom handles voice cancellation very well, preventing cross-talk, and it allows everyone in the chat to see each other in a nice grid layout.

This growth hasn’t come without some blunders, though. Zoom has serious security issues which are worth knowing about, whether you use it for business or for personal calls, and especially if your kids use it at school. The product has been so insecure that the US Senate sergeant at arms had to issue a memo warning against use of the tool for reasons of national security (Politico), and Google has also banned the app’s use (The Verge). Password security was poor enough that hackers were able to confirm and then sell the login data of 500,000 Zoom accounts on dark web forums (BleepingComputer, Vice). In a dark twist of numeric synchronicity, Zoom exploits have also been sold on the dark web for as much as $500,000 (Vice).

First there was Zoombombing (The Verge, TechCrunch, Zoom Blog), where a security flaw allowed strangers to hop into other people’s group calls, often posting derogatory, racist, or obscene content before an admin had time to kick them out. Zoom responded by adding real-time reporting to the application, but not until after much harm was done (Mashable, NPR, TechCrunch, Schneier on Security).

A security flaw in software is one thing, but then the company came under scrutiny for its core architecture, in which some customer data was routed through servers in China (Business Insider, TechCrunch). The response from their CEO, claiming that they accidentally started using servers in China to accommodate load on their service, is embarrassing even if it is true. Since then, the company now allows paying customers to “opt in or out of a specific data center region,” and users outside of China will no longer be routed through Chinese servers (The Verge, Reuters, Zoom blog).

Zoom has a history of misrepresenting its encryption standards (The Intercept) and installing backdoor software (The Verge, Twitter), and its marketing department has been sloppy enough with the facts that the company had to retract its claim of 300 million DAU (Daily Active Users), correcting that figure to the number of participants, not active users (TechCrunch). Zoom also has some bad business practices around data used by advertisers. Despite no mention of the relationship in the T&C, it was found to be sending user data to Facebook, even for users who didn’t have Facebook accounts (Vice, Dev.io, Bloomberg), and it was linking users to their LinkedIn profiles as well (The Verge). These issues have since been resolved (The Verge, PC World).

These issues have caused Zoom to come under scrutiny from Senators Elizabeth Warren (D-MA) and Ed Markey (D-MA), who have asked for information around the company’s security practices and history, with a focus on data breaches and any Zoombombings in classrooms (The Verge). It’s even drawn the attention of the US FTC, which has launched a probe into the company’s data practices (Reuters), an investigation from the New York Attorney General (NYT), as well as widespread backlash in the press (The Verge, Doc Searls, The Citizen Lab). For more great analysis on Zoom, turn to Simon Pitt’s piece in OneZero (Medium).

Zoom is not alone, and despite its failings, the privacy-focused Mozilla ranked it higher than competitor House Party in a recent report (Mozilla). Zoom has also moved quickly to patch and update its software to address many of these concerns (The Verge). Still, the story highlights the harm done by companies that move too quickly to gain market share, at the cost of the people using their products. In fact, there is nothing particularly special about Zoom’s technology, and there are many competitors looking to get in on the action, equally willing to sacrifice security for speed and growth (Sameer Singh, Medium). Zoom seems to have learned from some of its mistakes and is pointing the way toward an encrypted future for its tools. It has acquired privacy-focused chat service Keybase and announced its intention to build the largest end-to-end encrypted network for enterprise communications (Zoom blog, TechCrunch).

I’m still distrustful of Zoom’s product, but they do now at least appear to be moving in the right direction. Most of the criticism of video conferencing is about how invasive or exhausting it is (Medium), but it’s also important that we run our lives and businesses on software that is secure and safe. Zoom’s data sharing practices are a perfect case study in what goes wrong when companies prioritize growth above everything else, and when users aren’t informed about security and just pick up the cheapest and easiest tools available.

I have some more updates in the near future planned on Banjo, Clearview AI, and other privacy related issues. If you’d like to see me write about a specific topic, let me know on Twitter.

Bits of News:

  • 🧿 Amazon is getting more involved with surveillance by bringing license plate reading as well as facial recognition to its Ring line of home security cameras and appliances (Ars Technica).

  • 🏛 Kirsten Gillibrand has proposed the formation of a consumer Data Protection Agency at the federal level (The Verge).

  • 🇨🇳 China continues to grab power and is using COVID-19 to further entrench its surveillance state (Reuters).

Ad Hominem is a blog and newsletter about Ad Tech, Privacy, and Surveillance Capitalism. It currently has no paid subscription. If you want to support this project, the best way is just to spread the word via Twitter or forwarding this email to a friend. You can also send me a tip on my BuyMeACoffee page.

If you have any feedback on this or any other issue of Ad Hominem, please let me know on Twitter. Thank you for your time and attention. I know it’s your most precious resource.

— Sam